4. Implementing Security on Cisco Routers 45 1. Router Access Security
4.3. Access Lists and Filtering
Cisco IOS uses access lists to separate data traffic into that which it will process (permitted packets) and that which it will not process (denied packets). Secure configuration of Cisco routers makes very heavy use of access lists, for restricting access to services on the router itself, and for filtering traffic passing through the router. This section gives a moderately detailed description of access list syntax, with some extensive examples.
4.3.1. Concepts
Access lists on Cisco routers provide packet filtering capability. An access list contains one or more rules. For IP traffic, there are two types of access lists available: standard and extended. Standard access lists only allow source IP address filtering. Extended access lists can permit or deny packets based on their protocols, source or destination IP addresses, source or destination TCP/UDP ports, or ICMP or IGMP message types. Extended access lists also support selective logging. Both standard and extended IP access lists can be applied to router interfaces, vty lines (for remote access), IPSec, and routing protocols. Only standard IP access lists can be applied to SNMP.
Syntax
The basic structure for an access list rule is shown below.
access-list access-list-number {deny | permit} condition
The access list number tells Cisco IOS which access list the rule should be a part of, and what kind of access list it is. The condition field, which is different for each kind of access list, specifies which packets match the rule. Conditions typically involve protocol information and addresses, but do not involve application-level information.
The following is the syntax for a statement (rule) in a standard IP access list:
access-list access-list-number {deny | permit} source [source-wildcard]
where access-list-number is the number of the access list and can be any decimal number from 1 to 99.
deny denies access if the condition is matched.
permit permits access if the condition is matched.
source is the IP address of the network or host from which the packet is being sent.
source-wildcard is the wildcard bits to be applied to the source.
The following is simplified syntax for a statement in an extended IP access list:
access-list access-list-number {deny | permit} protocol source source-wildcard source-qualifiers destination destination-wildcard destination-qualifiers [log]
where access-list-number is the number of the access list and can be any decimal number from 100 to 199.
deny denies access if the condition is matched.
permit permits access if the condition is matched.
protocol is the name or number of an IP-related protocol. It can be one of the following keywords: eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp or udp. Or it can be an integer in the range 0 to 255 representing an IP protocol number. (Some protocols allow further qualifiers: source or destination ports can be specified for tcp or udp, and message types can be specified for icmp or igmp.)
source is the IP address of the network or host from which the packet is being sent.
source-wildcard is the wildcard bits to be applied to the source. The keyword any can be used in place of source and source-wildcard.
source-qualifiers are further details on the packet source, including port numbers and other protocol-specific information. Use of the qualifiers is optional.
destination is the IP address of the network or host to which the packet is being sent.
destination-wildcard is the IP address wildcard bits to be applied to the destination. The keyword any can be used in place of destination and destination-wildcard.
destination-qualifiers are further details on the packet destination, including port numbers and other protocol-specific information. Use of the qualifiers is optional.
log, if present, causes an informational message about the packet that matches the statement to be logged (see Section 4.5.1).
Cisco has also created an alternative called named IP access lists for both standard and extended lists. This feature allows you to refer to an access list by name instead of by number. It also provides a convenient way to build lists on-line. The syntax for defining an IP access list by name is shown below. After the list is defined by name, one creates statements beginning with either the permit or deny keyword. After the permit or deny keyword the syntax is the same as defined above for either the standard list or the extended list.
ip access-list {standard | extended} name
where standard specifies a standard IP access list.
extended specifies an extended IP access list.
name is the name of the access list. The name cannot contain spaces or punctuation and must begin with an alphabetic character.
General Recommendations
Refer to the two tables in Section 3.2.2 that present common services to restrict because they can be used to gather information about an internal network or they have weaknesses that can be exploited. The first table lists those services that should be completely blocked at the router; they should not be allowed across the router in either direction or to the router. The second table lists those services on the internal network or on the router that should not be accessible by external clients.
In each access list there must be at least one permit statement. Otherwise, an access list with no permit statements will block all network traffic wherever it is applied.
Note that an access list is applied to packets traveling in one direction only. For any connection that requires two-way interaction (e.g., all TCP traffic, some UDP traffic) the access list will only affect approximately half the packets. It is possible however to apply two access lists (one for each direction) for router interfaces, vty lines and routing protocols. The diagram below shows how access lists work when applied to router interfaces, using the router East as an example.
Figure 4-2: Conceptual Model for Access Lists on Interfaces
[Diagram: router East with interface Eth0 (address 14.1.1.20, on the 14.1.0.0/16 network) and interface Eth1 (address 14.2.6.250, on the 14.2.6.0/24 network). Each interface carries an inbound access list and an outbound access list; packets a list permits pass to the routing fabric, and packets it denies are discarded.]
Use the log keyword at the end of each deny statement in each extended access list, as shown in the example below. This feature will provide valuable information about what types of packets are being denied. Logs of denied packets can be useful for detection and analysis of probes and attacks against a network. Section 4.5.1 describes IOS’s logging features in more detail.
East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 102 deny ip any any log
Add the following statements at the end of each extended IP access list to deny and to log any packets that are not permitted. These statements will guarantee that the router will log the values for the source and destination ports for TCP and UDP traffic.
East(config)# access-list 100 deny tcp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny udp any range 0 65535 any range 0 65535 log
East(config)# access-list 100 deny ip any any log
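A defender's use of the denied-packet messages the three statements above produce, as an added example in Python; it is not from the guide and not Cisco code. The page shows no log output, so the message shape parsed here is assumed from the IOS %SEC-6-IPACCESSLOGP, IPACCESSLOGDP and IPACCESSLOGNP formats; the syslog lines are constructed, and the probe thresholds are arbitrary. It aggregates denied packets per source address and flags sources that touched many distinct ports on one host or many distinct hosts, which is the probe analysis the text says these logs support.

```python
import re
from collections import defaultdict

# Assumed message shape (the page shows no log output): IOS writes
# %SEC-6-IPACCESSLOGP for TCP/UDP with ports in parentheses, %SEC-6-IPACCESSLOGDP
# for ICMP with "(type/code)" after the destination, and %SEC-6-IPACCESSLOGNP for
# other protocols; repeated matches arrive as summary lines with "N packets".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?(?: \((?P<itype>\d+)/(?P<icode>\d+)\))?"
    r", (?P<count>\d+) packets?"
)

def parse_line(line):
    """Return a dict for one ACL log message, or None for any other syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "itype", "icode", "count"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize_denied(lines):
    """Per source address: denied packet volume, distinct targets, ports and ICMP types."""
    per_src = defaultdict(lambda: {"packets": 0, "dst_hosts": set(),
                                   "dst_ports": set(), "icmp_types": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "denied":
            continue
        s = per_src[rec["src"]]
        s["packets"] += rec["count"]          # summary lines carry the real count
        s["dst_hosts"].add(rec["dst"])
        if rec["dport"] is not None:
            s["dst_ports"].add(rec["dport"])
        if rec["itype"] is not None:
            s["icmp_types"].add(rec["itype"])
    return dict(per_src)

def classify(summary, min_ports=5, min_hosts=3):
    """Label sources whose denied traffic looks like a probe; thresholds are arbitrary."""
    verdicts = {}
    for src, s in summary.items():
        if len(s["dst_ports"]) >= min_ports:
            verdicts[src] = "port sweep"
        elif len(s["dst_hosts"]) >= min_hosts:
            verdicts[src] = "host sweep"
    return verdicts

# Constructed syslog lines, as router East would send them to a syslog host.
SAMPLE_LOG = """
*Mar  1 10:02:11.101: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40001) -> 14.2.6.5(23), 1 packet
*Mar  1 10:02:11.220: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40002) -> 14.2.6.5(25), 1 packet
*Mar  1 10:02:11.330: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40003) -> 14.2.6.5(80), 1 packet
*Mar  1 10:02:11.440: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40004) -> 14.2.6.5(110), 1 packet
*Mar  1 10:02:11.550: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.9(40005) -> 14.2.6.5(443), 1 packet
*Mar  1 10:07:42.012: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.4 -> 14.2.6.1 (8/0), 1 packet
*Mar  1 10:07:42.013: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.4 -> 14.2.6.2 (8/0), 1 packet
*Mar  1 10:07:42.014: %SEC-6-IPACCESSLOGDP: list 100 denied icmp 198.51.100.4 -> 14.2.6.3 (8/0), 1 packet
*Mar  1 10:12:00.500: %SEC-6-IPACCESSLOGP: list 100 denied udp 10.0.0.7(514) -> 14.2.6.250(514), 12 packets
*Mar  1 10:13:00.000: %SEC-6-IPACCESSLOGP: list 102 permitted tcp 14.2.6.20(51000) -> 198.51.100.4(80), 3 packets
""".strip().splitlines()

def report(lines=SAMPLE_LOG):
    """Run the analysis; returns (per-source summary, verdicts)."""
    summary = summarize_denied(lines)
    return summary, classify(summary)

if __name__ == "__main__":
    summary, verdicts = report()
    for src, s in sorted(summary.items()):
        print(f"{src:15} {s['packets']:4d} pkts  hosts={len(s['dst_hosts'])}  "
              f"ports={sorted(s['dst_ports'])}  {verdicts.get(src, '')}")
```

The range 0 65535 statements matter for this analysis: they make the router report TCP and UDP ports in the message, so the dst_ports set is populated; behind a plain deny ip any any log no ports are reported and the port-sweep test could never fire. IOS also rate-limits these messages and reports later matches as summary lines with a packet count, which is why the aggregation sums the count field instead of counting lines.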
Finally, due to limited editing capability on the Cisco router, you cannot easily modify access lists. Thus, whenever you need to change an access list, it is best to build it offline on a separate computer. When the access list is ready you can cut and paste the access list via a connection to the router. Since the original access list is still on the router, you must purge it before adding the updated access list. Below is an example of how to clear an access list.
East(config)# no access-list 100
4.3.2. Filtering Traffic to Router Itself
Access lists are used in a variety of ways to control access to services on the router itself. While it is possible to incorporate access controls for these services into the access lists placed on interfaces, it is typically easier and more reliable to use the specialized facilities that IOS makes available to apply access controls directly to the services themselves. For more information about services on the router, and how to disable unneeded ones, see Section 4.2.
Remote Login (Telnet) Service
There are a number of methods to filter access to the router itself: vty lines, SNMP servers and routing protocols. The vty lines are used for remote access to the router.
Typically, a router administrator telnets to one of the vty lines. The following example shows the configuration of an extended IP access list that is applied to the vty lines. This simple IP access list allows the hosts with IP addresses 14.2.6.1 and 14.2.6.18 to connect to the router East via Telnet. The list denies all other connections. It also logs all successful and unsuccessful connections.
East(config)# access-list 105 permit tcp host 14.2.6.1 any eq 23 log
East(config)# access-list 105 permit tcp host 14.2.6.18 any eq 23 log
East(config)# access-list 105 deny ip any any log
East(config)# line vty 0 4
East(config-line)# access-class 105 in
East(config-line)# end
SNMP Service
A Cisco router can be configured to act as a client for SNMP. When SNMP service is enabled on a router, network management tools can use it to gather information about the router configuration, route table, traffic load, and more. Versions 1 and 2 of SNMP are not considered very secure due to the lack of strong authentication. Thus, SNMP should be used only on the internal or protected network. The following example shows the configuration of a standard IP access list that is applied to the SNMP server. This access list allows the host with IP address 14.2.6.6 to gather SNMP information from the router. The list denies all other connections.
East(config)# access-list 75 permit host 14.2.6.6
East(config)# snmp-server community n3t-manag3m3nt ro 75
For more information about SNMP configuration, see Sections 4.2.2 and 4.5.3.
OSPF Service
Communications between routers for routing table updates involve routing protocols.
These updates provide directions to a router on which way traffic should be routed.
You can use access lists to restrict what routes the router will accept (in) or advertise (out) via routing protocols. The following example shows the configuration of an extended IP access list applied to the OSPF routing protocol, area 1. With the access list applied, router North will not advertise routes to the 14.2.9.0 network.
North(config)# access-list 10 deny 14.2.9.0 0.0.0.255
North(config)# access-list 10 permit any
North(config)# router ospf 1
North(config-router)# distribute-list 10 out
North(config-router)# end
For more information about OSPF security configuration, see Section 4.4.
4.3.3. Filtering Traffic through the Router
The following examples illustrate methods to protect the router or the internal network from attacks. Note: these separate examples should not be combined into one access list because the result would contain contradictions. In the next section an example configuration file is presented that shows one way to combine these methods into access lists. Refer to the network diagram in Figure 4-1 to understand the example interfaces, their IP addresses and the corresponding access lists.
IP Address Spoof Protection
Inbound Traffic
Do not allow any inbound IP packet that contains an IP address from the internal network (e.g., 14.2.6.0), any local host address (127.X.X.X), the link-local DHCP default address (169.254.0.0), or any reserved private addresses (refer to RFC 1918) in the source field. Apply this access list to the external interface of the router, as shown in the transcript below.
East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
East(config)# access-list 100 permit ip any 14.2.6.0 0.0.0.255
East(config)# interface eth0/0
East(config-if)# description "external interface"
East(config-if)# ip address 14.1.1.20 255.255.0.0
East(config-if)# ip access-group 100 in
East(config-if)# exit
East(config)# interface eth0/1
East(config-if)# description "internal interface"
East(config-if)# ip address 14.2.6.250 255.255.255.0
East(config-if)# end
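The wildcard-mask matching and the first-match, implicit-deny semantics described in Section 4.3.1, exercised against the inbound anti-spoofing list just shown, as an added example in Python; it is not part of the original guide and not Cisco code. It models only the subset of the statement syntax used on this page (host, any, eq, range, log; the established keyword and ICMP message-type names are not modelled), takes the list 100 statements as constructed input, and returns for a given packet what the router would do with it and whether a log message would be produced. The Packet and Rule structures and all function names are this example's own.

```python
import ipaddress
from collections import namedtuple
from typing import List, Optional, Tuple

ANY = (0, 0xFFFFFFFF)  # "any" is shorthand for 0.0.0.0 255.255.255.255
Packet = namedtuple("Packet", "proto src dst sport dport", defaults=(0, 0))
Rule = namedtuple("Rule", "action proto src dst sport dport log")

def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _take_addr(tok: List[str]) -> Tuple[int, int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return _addr(tok.pop(0)), 0
    return _addr(t), _addr(tok.pop(0))

def _take_ports(tok: List[str]) -> Optional[Tuple[int, int]]:
    """Consume an optional 'eq N' or 'range LO HI' port qualifier."""
    if tok and tok[0] in ("eq", "range"):
        n = 2 if tok[0] == "eq" else 3
        lo, hi = int(tok[1]), int(tok[n - 1])
        del tok[:n]
        return lo, hi
    return None

def wildcard_match(addr: int, rule_addr: int, wildcard: int) -> bool:
    """Wildcard bits set to 1 are 'don't care'; every 0 bit must be equal."""
    return ((addr ^ rule_addr) & ~wildcard & 0xFFFFFFFF) == 0

def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != p.proto:
        return False
    if not wildcard_match(_addr(p.src), *rule.src):
        return False
    if not wildcard_match(_addr(p.dst), *rule.dst):
        return False
    if rule.sport and not rule.sport[0] <= p.sport <= rule.sport[1]:
        return False
    return not rule.dport or rule.dport[0] <= p.dport <= rule.dport[1]

def parse_rule(line: str) -> Tuple[int, Rule]:
    """Parse one 'access-list N {permit|deny} ...' statement; a prompt is tolerated."""
    tok = line.split("#")[-1].split()
    number, action, rest = int(tok[1]), tok[2], tok[3:]
    log = rest[-1] == "log"
    if log:
        rest.pop()
    if 1 <= number <= 99:  # standard list (1-99): source address only
        if len(rest) == 1 and rest[0] != "any":
            src = (_addr(rest[0]), 0)  # bare address: wildcard defaults to 0.0.0.0
        else:
            src = _take_addr(rest)
        return number, Rule(action, "ip", src, ANY, None, None, log)
    proto = rest.pop(0)  # extended list (100-199): protocol, source, destination
    src = _take_addr(rest)
    sport = _take_ports(rest) if proto in ("tcp", "udp") else None
    dst = _take_addr(rest)
    dport = _take_ports(rest) if proto in ("tcp", "udp") else None
    # Trailing qualifiers ("established", ICMP type names) are not modelled here.
    return number, Rule(action, proto, src, dst, sport, dport, log)

def build_acls(config_lines) -> dict:
    """Group rules by list number, keeping their order: the first match wins."""
    acls = {}
    for line in config_lines:
        if "access-list" in line:
            number, rule = parse_rule(line)
            acls.setdefault(number, []).append(rule)
    return acls

def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, bool]:
    """Return (action, logged); no match falls through to the implicit, unlogged deny."""
    for rule in rules:
        if matches(rule, packet):
            return rule.action, rule.log
    return "deny", False

# Constructed input: the inbound anti-spoofing list 100 from the text, as typed on East.
CONFIG = """
East(config)# access-list 100 deny ip 14.2.6.0 0.0.0.255 any log
East(config)# access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
East(config)# access-list 100 deny ip 172.16.0.0 0.15.255.255 any log
East(config)# access-list 100 deny ip 192.168.0.0 0.0.255.255 any log
East(config)# access-list 100 deny ip 169.254.0.0 0.0.255.255 any log
East(config)# access-list 100 permit ip any 14.2.6.0 0.0.0.255
""".strip().splitlines()
ACLS = build_acls(CONFIG)

def check_inbound(src: str, dst: str, proto: str = "tcp", dport: int = 0) -> Tuple[str, bool]:
    """Decision for a packet arriving on East's external interface (list 100 applied in)."""
    return evaluate(ACLS[100], Packet(proto, src, dst, dport=dport))
```

Because list 100 ends with a permit for traffic to 14.2.6.0/24 only, a packet from a legitimate outside address to any other destination hits the implicit deny and is dropped without a log entry; that silent case is the reason the text recommends an explicit deny ip any any log at the end of every extended list. The 172.16.0.0 0.15.255.255 statement shows why the wildcard is written bitwise rather than as a prefix length: 172.31.5.5 is denied because bits 0-11 match, while 172.32.1.1 is not.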
Outbound Traffic
Do not allow any outbound IP packet that contains an external IP address in the source field. Apply this access list to the internal interface of the router. See example rules below.
East(config)# no access-list 102
East(config)# access-list 102 permit ip 14.2.6.0 0.0.0.255 any
East(config)# access-list 102 deny ip any any log
East(config)# interface eth 0/1
East(config-if)# description "internal interface"
East(config-if)# ip address 14.2.6.250 255.255.255.0
East(config-if)# ip access-group 102 in
On most Cisco routers, IOS 12 offers another mechanism for IP address spoof protection: IP reverse-path forwarding verification. Though specialized, and not suitable for all networks, this facility offers good performance and ease of maintenance. Section 4.4.5 shows how to set up reverse-path forwarding verification on routers that support it.
Exploits Protection
This sub-section describes how to use access lists to defeat or discourage several common attacks using IOS traffic filtering capabilities.
TCP SYN Attack
The TCP SYN Attack involves transmitting a volume of connections that cannot be completed at the destination. This attack causes the connection queues to fill up, thereby denying service to legitimate TCP users. The following shows two different scenarios.
External Access Blocked
The access list rules shown below will block packets from an external network that have only the SYN flag set. Thus, it allows traffic from TCP connections that were established from the internal network, and it prevents any host on an external network from starting a TCP connection.
East(config)# access-list 106 permit tcp any 14.2.6.0 0.0.0.255 established
East(config)# access-list 106 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "external interface"
East(config-if)# ip access-group 106 in
Limiting External Access with TCP Intercept
The access list rules shown below will block packets from unreachable hosts using the TCP intercept feature; thus, it only allows reachable external hosts to initiate connections to a host on the internal network. In intercept mode the router intercepts each TCP connection establishment, and determines if the address from which the connection is being initiated is reachable. If the host is reachable, the router allows the connection to be established; otherwise, it prevents the connection.
East(config)# ip tcp intercept list 107
East(config)# access-list 107 permit tcp any 14.2.6.0 0.0.0.255
East(config)# access-list 107 deny ip any any log
East(config)# interface eth 0/0
East(config-if)# description "external interface"
East(config-if)# ip access-group 107 in
TCP intercept is a very effective mechanism for protecting hosts on a network from outside TCP SYN attacks; for extensive details consult the Cisco IOS 12 Security Configuration Guide [5]. However, the TCP intercept feature is available in most, but not all, Cisco IOS version 11.3 and 12.0 releases.
Land Attack
The Land Attack involves sending a packet to the router with the same IP address in the source address and destination address fields and with the same port number in the source port and destination port fields. This attack may cause a denial of service or degraded capability in the router. The example below shows how to prevent this attack.
East(config)# access-list 100 deny ip host 14.1.1.20 host 14.1.1.20 log
East(config)# access-list 100 permit ip any any
East(config)# interface eth0/0
East(config-if)# description "external interface to 14.1.0.0/16"
East(config-if)# ip address 194.168.20.20 255.255.255.0
East(config-if)# ip access-group 100 in
East(config-if)# end
East#
Smurf Attack
The Smurf Attack involves sending a large amount of ICMP Echo packets to a subnet's broadcast address with a spoofed source IP address from that subnet. If a router is positioned to forward broadcast requests to other routers on the protected network, then the router should be configured to prevent this forwarding from occurring. This blocking can be achieved by denying any packets destined for broadcast addresses. The example statements below block all IP traffic from any host to the possible broadcast addresses (194.168.255.255 and 194.168.0.0) for the 194.168 subnet.
East(config)# access-list 110 deny ip any host 194.168.255.255 log
East(config)# access-list 110 deny ip any host 194.168.0.0 log
ICMP Message Types and Traceroute
There are a variety of ICMP message types. Some are associated with programs. For example, the ping program works with message types Echo and Echo Reply. Others are used for network management and are automatically generated and interpreted by network devices. For inbound ICMP traffic, block the message types Echo and Redirect. With Echo packets an attacker can create a map of the subnets and hosts behind the router. Also, he can perform a denial of service attack by flooding the router or internal hosts with Echo packets. With ICMP Redirect packets the attacker can cause changes to a host’s routing tables. Otherwise, the other ICMP message types should be allowed inbound. See the example below for inbound ICMP traffic.
East(config)# access-list 100 deny icmp any any echo log
East(config)# access-list 100 deny icmp any 14.2.6.0 0.0.0.255 redirect log
East(config)# access-list 100 permit icmp any 14.2.6.0 0.0.0.255
For outbound ICMP traffic, one should allow the message types Echo, Parameter Problem and Source Quench and block all other message types. With Echo packets users will be able to ping external hosts. Parameter Problem packets and Source Quench packets improve connections by informing about problems with packet headers and by slowing down traffic when it is necessary. See the example below for outbound ICMP traffic.
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any echo
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any parameter-problem
East(config)# access-list 102 permit icmp 14.2.6.0 0.0.0.255 any source-quench
East(config)# access-list 102 deny icmp any any log
Another program that deals with certain ICMP message types is traceroute.
Traceroute is a utility that prints the IP addresses of the routers that handle a packet as the packet hops along the network from source to destination. On Unix and Linux operating systems, traceroute uses UDP packets and causes routers along the path to generate ICMP message types ‘Time Exceeded’ and ‘Unreachable’. An attacker can use traceroute responses to create a map of the subnets and hosts behind the router, just as they could do with ping’s ICMP Echo Reply messages. Therefore, block inbound traceroute by including a rule in the inbound interface access list, as shown in the example below (ports 33400 through 34400 are the UDP ports commonly used for traceroute).
East(config)# access-list 100 deny udp any any range 33400 34400 log
A router may be configured to allow outbound traceroute by adding a rule to the outbound interface access list, as shown in the example below.
East(config)# access-list 102 permit udp any any range 33400 34400 log
Distributed Denial of Service (DDoS) Attacks
Several high-profile DDoS attacks have been observed on the Internet. While routers cannot prevent DDoS attacks in general, it is usually sound security practice to discourage the activities of specific DDoS agents (a.k.a. zombies) by adding access list rules that block their particular ports. The example below shows access list rules for blocking several popular DDoS attack tools. [Note that some of these rules may also impose a slight impact on normal users, because they block high-numbered ports that legitimate network clients may randomly select.] These rules would normally be applied to traffic in both directions between an internal or trusted network and an untrusted network.
! the TRINOO DDoS systems
access-list 170 deny tcp any any eq 27665 log
access-list 170 deny udp any any eq 31335 log
access-list 170 deny udp any any eq 27444 log